
Does iptables supersede tcp wrappers?

Status
Not open for further replies.

capitano (Programmer, US)
Jul 30, 2001
I want to block a specific IP from visiting my web server (on private LAN). I'm using IPTABLES with NAT translation and MASQUERADING.

I've tried blocking the IP with /etc/hosts.deny but this doesn't seem to work. Do I need to add a line in my iptables -t nat to block this fellow?

In general, does iptables supersede tcp wrappers?

Thanks much for any help!

 
Hi,

tcp wrappers is not directly related to iptables. The latter is a packet filtering / firewall with a history of (i) ipfwadm (ii) ipchains (iii) iptables.

tcp wrappers (/usr/sbin/tcpd) used to be used a lot for inetd-controlled services, but on systems like redhat with xinetd you can do most of the same stuff with xinetd itself. If you do:

rpm -q --whatrequires tcp_wrappers

... you won't get many packages that depend on it (ypserv is one, however).

So, yes, you either need to filter the address with iptables, or you can place access restrictions in your apache httpd.conf file (assuming that's the web server).

Regards
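
To make "filter the address with iptables" concrete, here is an added example script; it is not from the original thread or from any of the posters. It assumes a NAT/masquerading box where the web server is either on the box itself or on the LAN behind it, and uses 192.0.2.45 (an assumed address from the documentation range) as the host to block. The point it demonstrates is where the deny goes: in the filter table, inserted ahead of the ACCEPT rules, in INPUT for traffic to the firewall and in FORWARD for traffic the box relays to the LAN. The nat table only rewrites addresses, so adding a rule there would not block anything.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Block one source address on an iptables NAT/masquerading box.
# Assumed value: 192.0.2.45 (documentation range) stands in for the address to block.
# Set IPT=echo to preview the generated rules without applying them.

IPT="${IPT:-iptables}"

# Insert the DROP rules at position 1 of the *filter* table so they are checked
# before any ACCEPT rule appended earlier with -A.  INPUT covers traffic to the
# firewall itself (a web server running on the box), FORWARD covers traffic the
# box relays to a LAN host (e.g. a DNAT'd web server).  The nat table only
# rewrites addresses, so a -t nat rule is the wrong place for a deny.
block_ip() {
    ip="$1"
    "$IPT" -t filter -I INPUT 1 -s "$ip" -j DROP
    "$IPT" -t filter -I FORWARD 1 -s "$ip" -j DROP
}

# Remove the same two rules (-D takes the rule specification, not the position).
unblock_ip() {
    ip="$1"
    "$IPT" -t filter -D INPUT -s "$ip" -j DROP
    "$IPT" -t filter -D FORWARD -s "$ip" -j DROP
}

# List both chains with packet counters and rule numbers; the counter on the
# DROP rule should climb while the blocked host keeps retrying.
show_blocks() {
    "$IPT" -t filter -L INPUT -v -n --line-numbers
    "$IPT" -t filter -L FORWARD -v -n --line-numbers
}

# Usage (as root): sh block_ip.sh block|unblock|show [address]
case "${1:-}" in
    block)   block_ip "${2:-192.0.2.45}" ;;
    unblock) unblock_ip "${2:-192.0.2.45}" ;;
    show)    show_blocks ;;
esac
```

Why hosts.deny did nothing: tcp wrappers only consults /etc/hosts.deny for daemons started through tcpd or linked against libwrap, and Apache is neither, so the entry is never evaluated. If the web server is Apache, the same address can additionally be refused at the application layer with `Deny from 192.0.2.45` (with `Order allow,deny`) inside the relevant <Directory> block of httpd.conf, but that only stops the request from being served; the packets still reach the box, which is why the iptables rule is the one that actually blocks the host.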

 
Are you very familiar with Portsentry? I'm experimenting with this package and trying to understand how it works with / or can complement an iptables-based firewall.

In my limited experience (and tests) so far, iptables blocks incoming network traffic before Portsentry even sees the traffic.

For example, I can drop all packets except from port 80:
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT   # -p tcp is required for --dport to be accepted
iptables -A INPUT -i eth0 -j DROP

Now, if I try to telnet to my firewall from a public machine, I get timed out (because my packets are dropped); however, Portsentry doesn't seem to "do its job" by logging an attack alert and placing the violator's IP into hosts.deny. Of course, if I turn off iptables, then Portsentry does log the attack, and so forth.

I don't understand the point, then, of having Portsentry on a machine with a firewall. Is it just the self-assurance of having "one more line of defense" should an attacker crack the firewall??


 
The idea of something like portsentry is that there are certain services and/or traffic you want either allowed or monitored. If you just want a flat denial of the traffic you can use iptables to block it with a rule. You can also log this traffic, and use stateful filtering for more info and security.

For example, say I have a webserver accepting connections on standard service ports and I want to monitor traffic and connections established to my webserver. I would allow the traffic through iptables, configure portsentry in a way which gives me a warning of bad traffic, and configure additional rules to deal with this traffic as necessary.

In other words, portsentry can tell me much more about the traffic coming into my webserver than iptables can. Iptables is a firewall; portsentry is (sort of) an IDS.

For more info on this topic check out "Intrusion Signatures and Analysis" put out by SANS-GIAC. Also see SNORT and ARACHnids via your favorite search engine, for a very powerful IDS and pregenerated definitions.
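
The reply above recommends logging the traffic and using stateful filtering; the post before it showed why a flat DROP hides probes from Portsentry. Here is an added example ruleset for the firewall's INPUT chain that does both; it is not from the original thread or from the Portsentry or iptables projects. It assumes eth0 is the public interface, and the three kernel log lines it parses are constructed for the example in the format the LOG target writes to syslog, not captured from a real host. Compared with the two rules in the earlier post it adds -p tcp (needed for --dport to be valid), an ESTABLISHED,RELATED rule so the firewall's own outbound connections get their replies back, and a rate-limited LOG rule placed before the final DROP so the probes iptables used to discard silently are recorded, which is the same visibility Portsentry was providing before the firewall got in front of it.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# INPUT chain for the firewall in the question: accept web traffic, let replies
# to the box's own connections back in (stateful filtering), and LOG probes
# before DROPping them.  Assumed names: eth0 = public interface.
# Set IPT=echo to preview the generated rules without applying them.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"

web_rules() {
    # Flush INPUT and start from a default-deny policy.
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP

    # Loopback is always allowed.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Stateful: packets belonging to connections the firewall itself opened
    # (DNS lookups, package downloads) are let back in.  Without this rule the
    # flat "DROP everything but 80" breaks the box's own outbound traffic.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The web server.  --dport is a TCP match option, so -p tcp is required.
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Everything else: LOG first (rate-limited so a port scan cannot fill the
    # disk), then DROP.  Order matters: a DROP placed before the LOG would
    # discard the packet silently and nothing would be recorded.
    "$IPT" -A INPUT -i "$WAN_IF" -m state --state NEW \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "IPT-PROBE: " --log-level info
    "$IPT" -A INPUT -i "$WAN_IF" -j DROP
}

# Three constructed log lines in the format the LOG target produces
# (not captured from a real system): two telnet probes from one host,
# one ssh probe from another.
sample_log() {
    cat <<'EOF'
Jul 30 12:00:01 fw kernel: IPT-PROBE: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.45 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 30 12:00:03 fw kernel: IPT-PROBE: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.45 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 30 12:00:09 fw kernel: IPT-PROBE: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=777 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Summarise the LOG lines on stdin as "count source dport", the way you would
# grep /var/log/messages to see who is knocking and on which ports.
probe_sources() {
    grep 'IPT-PROBE:' \
        | sed -n 's/.*SRC=\([0-9.]*\).*DPT=\([0-9]*\).*/\1 \2/p' \
        | sort | uniq -c
}

# Usage: sh web_rules.sh apply   (as root)   |   sh web_rules.sh demo
#        probe_sources < /var/log/messages   on a real box
case "${1:-}" in
    apply) web_rules ;;
    demo)  sample_log | probe_sources ;;
esac
```

Running `sh web_rules.sh demo` prints two lines, one per probing source and port, which is the same information Portsentry would have alerted on; feed the output of `probe_sources` to the block script from the earlier reply and you have the block-on-probe behaviour back, now driven by the firewall's own log instead of a daemon that never sees the packets.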
 